This seems like it should be much more straightforward, but I haven’t been able to get to the bottom of it yet myself.
I’ve got Azure AD synced to local AD using the latest version of Azure AD Connect. I’m using passthrough authentication and password writeback features.
On Windows 10 AzureAD-joined devices, I expect that if a user is logging in with a temporary password (i.e. must be changed at next logon), they should be able to do that at the Windows login screen. But regardless of whether the password is reset on-prem or in AAD, attempts to log in with it result in a “user name or password incorrect” error. If I reset a password and don’t force a change, then you can log in with it.
Has anyone dealt with this? How do you go about having users change their password from the Windows login screen?
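Added example (not part of the original post): a PowerShell walkthrough that reproduces the two resets described above and inspects the state that matters for each. It checks which Azure AD Connect company features are enabled (including the ForcePasswordChangeOnLogOn flag that Azure AD Connect exposes for the temporary-password scenario), performs the on-prem reset with "must change password at next logon" and confirms it shows up as pwdLastSet = 0, forces a delta sync, and then performs the cloud-side reset with ForceChangePassword and checks whether writeback landed on-prem. The account name `jdoe`, the UPN suffix `example.com`, and the temporary password are placeholders; the ADSync cmdlets run on the Azure AD Connect server, the ActiveDirectory cmdlets where RSAT is installed, and the MSOnline cmdlets with an admin connection.

```powershell
# Added example, not code from the original post. Placeholders: $TestUser,
# the UPN suffix and $TempPassword are assumptions; replace them before use.
$TestUser     = 'jdoe'                    # hypothetical test account
$UpnSuffix    = 'example.com'             # hypothetical verified domain
$TempPassword = 'Temp-P@ssw0rd-2019!'     # placeholder temporary password

# 1. What has Azure AD Connect enabled? Run on the Azure AD Connect server.
#    ForcePasswordChangeOnLogOn is the company feature tied to temporary
#    ("must change at next logon") passwords; check its state before testing.
Import-Module ADSync
Get-ADSyncAADCompanyFeature |
    Format-List PasswordHashSync, ForcePasswordChangeOnLogOn, UserWriteback
# To turn the flag on (prompts for an Azure AD admin credential):
# Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogOn $true

# 2. Case A: reset on-prem and require a change at next logon.
Import-Module ActiveDirectory
Set-ADAccountPassword -Identity $TestUser -Reset `
    -NewPassword (ConvertTo-SecureString $TempPassword -AsPlainText -Force)
Set-ADUser -Identity $TestUser -ChangePasswordAtLogon $true

# In AD, "must change at next logon" is stored as pwdLastSet = 0.
Get-ADUser -Identity $TestUser -Properties pwdLastSet, PasswordExpired, PasswordLastSet |
    Select-Object SamAccountName, pwdLastSet, PasswordExpired, PasswordLastSet

# Push the change to Azure AD now rather than waiting for the default
# 30-minute scheduler cycle (run on the Azure AD Connect server).
Start-ADSyncSyncCycle -PolicyType Delta

# 3. Case B: reset in Azure AD with the force-change flag; password writeback
#    should carry the new password and the flag back to on-prem AD.
Import-Module MSOnline
Connect-MsolService
Set-MsolUserPassword -UserPrincipalName "${TestUser}@${UpnSuffix}" `
    -NewPassword $TempPassword -ForceChangePassword $true

# Confirm writeback reached on-prem: the account should again show pwdLastSet = 0.
Get-ADUser -Identity $TestUser -Properties pwdLastSet, PasswordLastSet |
    Select-Object SamAccountName, pwdLastSet, PasswordLastSet
```

Run step 1 first and note the ForcePasswordChangeOnLogOn value; then try a Windows login after step 2 and again after step 3, so the on-prem and cloud reset paths can be compared against the same feature state rather than mixed together.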